Update Zendesk API Token and Provision Token #155
Conversation
| @@ -185,7 +185,7 @@ public function getProvisionToken($generate = false) | |||
| public function setProvisionToken($token = null) | |||
| { | |||
| if(!$token) { | |||
| $token = md5(time()); | |||
| $token = hash('sha256', rand()); | |||
There was a problem hiding this comment.
https://www.php.net/manual/en/function.random-bytes.php
Hi. It's usually good to use cryptographically secure APIs for this form of generation.
It's worth knowing this is already covered by Magento API within Core Helper:
Mage::helper('core')->getRandomString($len, $chars);
There's also Mage_OAuth helper which contains generators with even higher entropy (above is generally intended for highly random passwords but likely sufficient for this purpose). Mage::helper('oauth')->generateToken().
https://github.com/laurentlepee/magento-ce-1.9.2.4/blob/master/app/code/core/Mage/Oauth/Helper/Data.php
There was a problem hiding this comment.
awesome thanks for the tips Jason
There was a problem hiding this comment.
@yoshdog FYI we seem to be using md5 in https://github.com/zendesk/magento_extension/blob/334551303718c1d31d510be88d3c1267614775bf/src/app/code/community/Zendesk/Zendesk/controllers/SsoController.php#L58 and https://github.com/zendesk/magento_extension/blob/334551303718c1d31d510be88d3c1267614775bf/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php#L155
No description provided.